[Idr] Error in draft-ietf-idr-sdwan-edge-discovery use of Encapsulation Extended Community

John Scudder <jgs@juniper.net> Tue, 27 February 2024 20:41 UTC

From: John Scudder <jgs@juniper.net>
To: "draft-ietf-idr-sdwan-edge-discovery@ietf.org" <draft-ietf-idr-sdwan-edge-discovery@ietf.org>
CC: "idr@ietf.org" <idr@ietf.org>
Date: Tue, 27 Feb 2024 20:41:35 +0000
Message-ID: <7FDF55CE-3E6B-47EC-8504-C9884BD212A9@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/umBB5yfoC3mFMpIWIT2K8159Gos>

Hi Authors, WG,

I just noticed draft-ietf-idr-sdwan-edge-discovery-12 and was looking at its use of RFC 9012. There seems to be a fundamental misunderstanding of how the Encapsulation Extended Community can be used, and I thought you should be aware of it. TL;DR, you’re specifying the use of SD-WAN-Hybrid tunnel type in an Encapsulation Extended Community, but this isn’t allowed. Details follow.

- RFC 9012, Section 4.1 tells us that the only permissible use of the Encapsulation Extended Community is when there are *no sub-TLVs*, other than the Address Family sub-TLV (item 3 in the list of conditions).

- In draft-ietf-idr-sdwan-edge-discovery-12 Section 6.3 we see the definition of the IPsec-SA-ID Sub-TLV of the SD-WAN-Hybrid tunnel type. This seems pretty central to the purpose of the spec. So, the SD-WAN-Hybrid tunnel type does have sub-TLVs in addition to the Address Family, and therefore MUST NOT be used in an Encapsulation Extended Community.

- Also, in draft-ietf-idr-sdwan-edge-discovery-12 Section 5.1 we see that the client route update uses the Encapsulation Extended Community (emphasis added):

```
5.  Client Route UPDATE

   The SD-WAN network's Client Route UPDATE message is the same as the
   L3 VPN or EVPN client route UDPATE message.  The SD-WAN Client Route
   UPDATE message uses the **Encapsulation Extended Community** and the
   Color Extended Community to link with the SD-WAN Underlay UPDATE
   Message.
```

- It’s clear from other parts of the spec that the tunnel type is SD-WAN-Hybrid, for example, this is both stated in Section 3.3, and then used in the example (same section). 

- But RFC 9012 §4.1 told us we can’t use a tunnel type with sub-TLVs as an Encapsulation Extended Community!

I think what you really must be trying to do is use the Tunnel Encapsulation attribute (only!) to carry the SD-WAN-Hybrid in the SD-WAN Underlay route, and then have the client routes making use of that tunnel recurse into the underlay route (including tunnel) as per RFC 9012 Section 8. Note that Section 8 does NOT require that the client route carry the Encapsulation Extended Community — the next hop address is both necessary and sufficient to effectuate the linkage to the underlay route.

Thanks,

—John
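As an added example (not code from the post, from RFC 9012 or from the draft), here is a small Python parser for an RFC 9012 Tunnel Encapsulation attribute TLV together with the Section 4.1 eligibility check the post relies on: a tunnel type may be signalled in the Encapsulation Extended Community only when its TLV carries no sub-TLVs other than the Address Family sub-TLV, otherwise it has to travel in the Tunnel Encapsulation attribute. The sub-TLV code points, the SD-WAN-Hybrid tunnel type value and the sample bytes are constructed placeholders, not the registered values.

```python
ENCAP_EXT_COMM_TYPE = 0x03       # Transitive Opaque Extended Community
ENCAP_EXT_COMM_SUBTYPE = 0x0C    # Encapsulation sub-type (RFC 9012 Section 4.1)
# CONSTRUCTED placeholder code points for this example; the real values are in
# the IANA registries and in the draft, and are not reproduced here.
SUBTLV_ADDRESS_FAMILY = 0x40     # assumed code for the one permitted sub-TLV
SUBTLV_IPSEC_SA_ID = 0x81        # assumed code for the draft's IPsec-SA-ID sub-TLV
TUNNEL_TYPE_SDWAN_HYBRID = 0xFFFE  # assumed SD-WAN-Hybrid tunnel type code

def parse_tunnel_tlv(buf):
    """Parse one Tunnel Encapsulation attribute TLV (RFC 9012 Section 2 layout).
    Returns (tunnel_type, [(sub_type, value_bytes), ...])."""
    tunnel_type = int.from_bytes(buf[0:2], "big")
    length = int.from_bytes(buf[2:4], "big")
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated Tunnel TLV")
    subs, i = [], 0
    while i < len(body):
        sub_type = body[i]
        # Sub-TLV Length is 1 octet for types 0-127 and 2 octets for 128-255.
        if sub_type < 128:
            sub_len, i = body[i + 1], i + 2
        else:
            sub_len, i = int.from_bytes(body[i + 1:i + 3], "big"), i + 3
        value = body[i:i + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated sub-TLV")
        subs.append((sub_type, value))
        i += sub_len
    return tunnel_type, subs

def extra_sub_tlvs(sub_tlvs, permitted=(SUBTLV_ADDRESS_FAMILY,)):
    """Sub-TLV types that rule out the Encapsulation Extended Community."""
    return sorted({t for t, _ in sub_tlvs if t not in permitted})

def encap_ext_community(tunnel_type, sub_tlvs):
    """Build the 8-octet Encapsulation Extended Community, or refuse when the
    tunnel carries sub-TLVs and so must travel in the Tunnel Encapsulation attribute."""
    bad = extra_sub_tlvs(sub_tlvs)
    if bad:
        raise ValueError(f"tunnel type {tunnel_type:#06x} carries sub-TLVs {bad}")
    # Type, Sub-Type, 4 reserved octets, then the 2-octet Tunnel Type.
    return bytes([ENCAP_EXT_COMM_TYPE, ENCAP_EXT_COMM_SUBTYPE, 0, 0, 0, 0]) \
        + tunnel_type.to_bytes(2, "big")

# Constructed sample: an SD-WAN-Hybrid TLV carrying one IPsec-SA-ID sub-TLV
# (2-octet sub-TLV length, since the assumed code is >= 128).
SAMPLE_HYBRID = (TUNNEL_TYPE_SDWAN_HYBRID.to_bytes(2, "big") + (5).to_bytes(2, "big")
                 + bytes([SUBTLV_IPSEC_SA_ID, 0x00, 0x02, 0x12, 0x34]))
```

Run against SAMPLE_HYBRID, the check refuses to build the extended community because of the IPsec-SA-ID sub-TLV, which is exactly the conflict the post points out for the client route UPDATE.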